[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
[or-cvs] Add some DH clarifications
Update of /home/or/cvsroot/tor/doc
In directory moria:/tmp/cvs-serv29278/doc
Modified Files:
tor-spec.txt
Log Message:
Add some DH clarifications
Index: tor-spec.txt
===================================================================
RCS file: /home/or/cvsroot/tor/doc/tor-spec.txt,v
retrieving revision 1.101
retrieving revision 1.102
diff -u -d -r1.101 -r1.102
--- tor-spec.txt 17 Nov 2005 09:55:44 -0000 1.101
+++ tor-spec.txt 17 Nov 2005 18:14:29 -0000 1.102
@@ -32,8 +32,8 @@
Unless otherwise specified, all symmetric ciphers are AES in counter
mode, with an IV of all 0 bytes. Asymmetric ciphers are either RSA
- with 1024-bit keys and exponents of 65537, or DH where the generator
- is 2 and the modulus is the 1024-bit safe prime from rfc2409,
+ with 1024-bit keys and exponents of 65537, or DH where the generator (g)
+ is 2 and the modulus (p) is the 1024-bit safe prime from rfc2409,
section 6.2, whose hex representation is:
"FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E08"
@@ -42,6 +42,10 @@
"A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE6"
"49286651ECE65381FFFFFFFFFFFFFFFF"
+ As an optimization, implementations SHOULD choose DH private keys (x) of
+ 320 bits. Implementations that do this MUST never use any DH key more
+ than once.
+
All "hashes" are 20-byte SHA1 cryptographic digests.
When we refer to "the hash of a public key", we mean the SHA1 hash of the
@@ -239,7 +243,7 @@
Once the handshake between the OP and an OR is completed, both servers can
now calculate g^xy with ordinary DH. Before computing g^xy, both client
- and server MUST verify that the received g^x/g^y value is not degenerate;
+ and server MUST verify that the received g^x or g^y value is not degenerate;
that is, it must be strictly greater than 1 and strictly less than p-1
where p is the DH modulus. Implementations MUST NOT complete a handshake
with degenerate keys. Implementions MAY discard other "weak" g^x values.
@@ -248,12 +252,10 @@
discarded, an attacker can substitute the server's CREATED cell's g^y with
0 or 1, thus creating a known g^xy and impersonating the server.)
- (The mainline Tor implementation discards all g^x values that are less
- than 2^24, that are greater than p-2^24, or that have more than 1024-16
- identical bits. This constitutes a negligible portion of the keyspace;
- the chances of stumbling on such a key at random are astronomically
- small. Nevertheless, implementors may wish to make their implementations
- discard such keys.)
+ (The mainline Tor implementation, in the 0.1.1.x-alpha series, also
+ discarded all g^x values that are less than 2^24, that are greater than
+ p-2^24, or that have more than 1024-16 identical bits. This serves no
+ useful purpose, and will probably stop soon.)
From the base key material g^xy, they compute derivative key material as
follows. First, the server represents g^xy as a big-endian unsigned